US9363282B1ActiveUtility

Platforms for implementing an analytics framework for DNS security

97
Assignee: INFOBLOX INCPriority: Jan 28, 2014Filed: Apr 21, 2014Granted: Jun 7, 2016
Est. expiryJan 28, 2034(~7.6 yrs left)· nominal 20-yr term from priority
H04L 63/1425H04L 63/0263H04L 63/0218H04L 2463/144H04L 63/1441H04L 61/1511H04L 61/4511
97
PatentIndex Score
90
Cited by
40
References
18
Claims

Abstract

Flux domain is generally an active threat vector, and flux domain behaviors are continually changing in an attempt to evade existing detection measures. Accordingly, new and improved techniques are disclosed for flux domain detection. In some embodiments, an online platform implementing an analytics framework for DNS security is provided for facilitating flux domain detection. For example, the online platform can implement an analytics framework for DNS security based on passive DNS traffic analysis, disclosed herein with respect to various embodiments.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A system for an online platform implementing an analytics framework for domain detection on passive DNS traffic, comprising:
 a processor configured to:
 receive a DNS data stream, the DNS data stream including a plurality of DNS messages related to a fully qualified domain name (FQDN); 
 process the DNS data stream to identify a bad network domain based on a behavioral analysis model applied to a time series collection of passive DNS traffic data, wherein the behavioral analysis model is determined based at least in part on a loyalty value of the plurality of DNS messages and an entropy of resolved IP address related to the plurality of DNS messages, wherein:
 the loyalty value is determined based at least in part on:
 a number of resolved IP addresses relating to DNS responses associated with the plurality of DNS messages; 
 a number of unique resolved IP addresses relating to the DNS responses; and 
 an average time to live (TTL) of the plurality of DNS messages; and 
 
 the entropy of the resolved IP addresses related to the plurality of DNS messages is determined based at least in part on a distribution of at least a first two octets of a unique resolved IP address; 
 
 perform a mitigation action based on the bad network domain; 
 determine a host is an infected host based on detecting a DNS query request to the bad network domain from the host; and 
 perform another mitigation action based on the determined host; and 
 
 a memory coupled to the processor and configured to provide the processor with instructions. 
 
     
     
       2. The system recited in  claim 1 , wherein the DNS data stream includes DNS query and DNS response data. 
     
     
       3. The system recited in  claim 1 , wherein the bad network domain is associated with the FQDN. 
     
     
       4. The system recited in  claim 1 , wherein the processor is further configured to:
 determine a host is infected based on detecting a DNS query request to the bad network domain from the host. 
 
     
     
       5. The system recited in  claim 1 , wherein the mitigation action includes one or more of the following:
 generate a firewall rule based on the bad network domain; 
 configure a network device to block network communications with the bad network domain; and 
 quarantine an infected host, wherein the infected host is determined to be infected based on an association with the bad network domain. 
 
     
     
       6. The system recited in  claim 1 , wherein the processor is further configured to:
 identify a source IP address, a source host, or an attempt to query the bad network domain. 
 
     
     
       7. The system recited in  claim 1 , wherein the processor is further configured to:
 store the time series collection of passive DNS traffic data in an observation cache. 
 
     
     
       8. The system recited in  claim 1 , wherein the processor is further configured to:
 receive DNS data that is collected from an agent executed on a DNS appliance. 
 
     
     
       9. The system recited in  claim 1 , wherein the processor is further configured to:
 extract a plurality of features from the DNS data stream to determine whether a network domain is associated with a fast flux based on the extracted plurality of features. 
 
     
     
       10. The system recited in  claim 1 , wherein the entropy of the resolved IP addresses is determined based at least in part on a distribution of a first three octets of the unique resolved IP address. 
     
     
       11. A method of an online platform implementing an analytics framework for domain detection on passive DNS traffic, comprising:
 receiving a DNS data stream, the DNS data stream including a plurality of DNS messages related to a fully qualified domain name (FQDN); 
 processing the DNS data stream to identify a bad network domain based on a behavioral analysis model applied to a time series collection of passive DNS traffic data, wherein the behavioral analysis model is determined based at least in part on a loyalty value of the plurality of DNS messages and an entropy of resolved IP addresses related to the plurality of DNS messages, wherein:
 the loyalty value is determined based at least in part on:
 a number of resolved IP addresses relating to DNS responses associated with the plurality of DNS messages; 
 a number of unique resolved IP addresses relating to the DNS responses; and 
 an average time to live (TTL) of the plurality of DNS messages; and 
 
 the entropy of the resolved IP addresses related to the plurality of DNS messages is determined based at least in part on a distribution of at least a first two octets of a unique resolved IP address; 
 
 performing a mitigation action based on the bad network domain; 
 determining a host is an infected host based on detecting a DNS query request to the bad network domain from the host; and 
 performing another mitigation action based on the infected host. 
 
     
     
       12. The method of  claim 11 , wherein the DNS data stream includes DNS query and DNS response data. 
     
     
       13. The method of  claim 11 , wherein the bad network domain is associated with the FQDN. 
     
     
       14. The method of  claim 11 , further comprising:
 determining a host is infected based on detecting a DNS query request to the bad network domain from the host. 
 
     
     
       15. A computer program product for an online platform implementing an analytics framework for domain detection on passive DNS traffic, the computer program product being embodied in a tangible non-transitory computer readable storage medium and comprising computer instructions for:
 receiving a DNS data stream, the DNS data stream including a plurality of DNS messages related to a fully qualified domain name (FQDN); 
 processing the DNS data stream to identify a bad network domain based on a behavioral analysis model applied to a time series collection of passive DNS traffic data, wherein the behavioral analysis model is determined based at least in part on a loyalty value of the plurality of DNS messages and an entropy of resolved IP addresses related to the plurality of DNS messages, wherein:
 the loyalty value is determined based at least in part on:
 a number of resolved IP addresses relating to DNS responses associated with the plurality of DNS messages; 
 a number of unique resolved IP addresses relating to the DNS responses; and 
 an average time to live (TTL) of the plurality of DNS messages; and 
 
 the entropy of the resolved IP addresses related to the plurality of DNS messages is determined based at least in part on a distribution of at least a first two octets of a unique resolved IP address; 
 
 performing a mitigation action based on the bad network domain; 
 determining a host is an infected host based on detecting a DNS query request to the bad network domain from the host; and 
 performing another mitigation action based on the infected host. 
 
     
     
       16. The computer program product recited in  claim 15 , wherein the DNS data stream includes DNS query and DNS response data. 
     
     
       17. The computer program product recited in  claim 15 , wherein the bad network domain is associated with the FQDN. 
     
     
       18. The computer program product recited in  claim 15 , further comprising computer instructions for:
 determining a host is infected based on detecting a DNS query request to the bad network domain from the host.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.